There are general distributed monitoring solutions like Cisco’s NetFlow, which op-erate on the transport and network layer, and SIP monitoring solutions like Sipient’s SIPFlow, which are designed to monitor single SIP servers. However, still there is only few work done trying to integrate those two concepts.
There has been some work on using IPFIX for SIP monitoring. In [Lee et al. 2007]
a scheme is presented, which extracts the RTP flow information from SIP packets
and proposes IPFIX templates for this information and RTP flows. But since these templates are fixed and are focused on the performance metrics of the RTP flows, the applicability is very limited. Another implementation, which uses IPFIX for the transport of a few RTP QoS metrics by defining new IEs is presented in [Øslebø and Kvittem 2007], but no SIP monitoring is considered here.
In the wider field of VoIP monitoring there is an interesting distributed architecture outlined in [Acharya et al. 2007]. It consists of SIP classifiers located at SIP proxies, which export the gathered information to a SIP Transaction Monitor that tracks the call states. This approach is focusing on SIP itself and does not address the correlation with media stream monitoring.
The solution presented in [Lindh and Roos 2006] is triggering RTP monitoring by information gathered from the SIP signaling, but is depending on direct interaction with the SIP proxy and has not a distributed architecture.
5.11 Chapter Summary
In this chapter we presented SIPFIX, a flexible and distributed scheme for mon-itoring both the control and user data plane of SIP traffic. It is based on the general purpose monitoring standard IPFIX, which is expected to have soon a high acceptance. This again will make deployment of SIPFIX more feasible and cost-effective. The proposed IPFIX extensions in order to support SIP monitoring comprise
I new Information Elements for SIP and media related data,
I flow types definitions for SIP traffic, media traffic and media descriptions, and
I components which process the new data structures.
The use of Mediators helps to distribute the higher processing and bandwidth needs introduced by the application layer data analysis. In different use case examples we showed that SIPFIX can cope with many of the typical challenges of SIP monitoring,
92 5. Distributed Monitoring of VoIP Traffic: SIPFIX
like for example correlation of separated SIP and media flows, end-to-end QoS monitoring and various security inspections.
But still, SIPFIX is just a framework. An important future work is the defini-tion and implementadefini-tion of applicadefini-tion-specific SIPFIX profiles in accordance to the use case examples that maintain interoperability of SIPFIX based compo-nents.
Chapter 6 Conclusion
In this chapter we will conclude what we have learned from the work presented in this dissertation, give a concise summary of the original contributions and a short outlook.
In this dissertation we addressed open issues in the field of flow-based network traffic measurements and proposed solutions or improvements for them. (See figure 6.1.)
Although the importance of the Internet and IP networks for the communicative and informational life constantly increases, it is becoming more and more difficult to observe what is happening in the network, because of the increasing bandwidth of the link technologies, the growing network topology and the resulting vast amounts of measurement data. In order to handle these amounts of data, it is important to find better solutions for problems like the analysis and presentation of data in a human-readable format, the long-term storage of the data and the scalability of the measurement infrastructure.
The flow data reduction method Mouse Trapping introduced and evaluated in chapter 3 is based on the observation that only few flows are responsible for most of the traffic. It can – depending on the traffic mix – reduce the flow data by about 90% while only information about 5% of the traffic is lost. Since for most applications a loss is acceptable, this method can improve long-term storage by removing the small flows after some time. It can also improve the scalability of measurement infrastructures if applied in mediators that forward the large flows to the collector.
94 6. Conclusion
Figure 6.1:Diagram of open issues of flow-based network measurements and their relation to the solutions presented in this work.
The software toolFloXdescribed in chapter 4 solves the analysis and presentation problem for the case of sudden high traffic events by – similar to Mouse Trapping – focusing on the large flows of a dynamically selectable subspace of the flow data in an iterative »drill down« approach.
The wide spread deployment of application layer based server virtualization and overlay network infrastructures make it useful or even necessary to extend the measurement technologies to the observation of application layer parameters. The SIPFIX framework presented in chapter 5 is such an extension for the widely used SIP protocol on basis of the flow export standard IPFIX. Because of its distributed structure, SIPFIX is able to monitor SIP sessions including their related media streams, also for the common case that they take different paths and therefore are measured at different observation points.
6.1 Summary of Contributions
The original contributions presented in this dissertation can be summarized as follows:
Mouse Trapping
1. Evaluation of a reduction method with real traffic measurements that can be highly effective, depending on the traffic mix.
2. Numerical simulations which show that the method works generally for any flow data with power-law distributed flow sizes.
3. Examination of the power-law characteristics of real traffic measurements for various types of traffic.
FloX
1. Design of a concept to examine high traffic events on the basis of large amounts of flow data in an interactive »drill-down« approach.
2. Implementation ofFloX, a proof of concept tool that is freely available as a open source web application.
SIPFIX
1. Design of a distributed monitoring architecture for SIP networks that includes the media streams.
2. Extensive description of use case examples for such an architecture.
3. Example of an integrated and distributed measurement infrastructure for both network and application layer.
4. First extensive use of the extensibility of the new IPFIX internet standard.
96 6. Conclusion